Support for Azure Disk Encryption-protected machines
We need to be able to use ASR to protect/replicate Azure virtual machines protected by Azure Disk Encryption.
VMs enabled for encryption with an Azure AD app are supported. Refer to this to enable replication of Azure Disk Encryption (ADE) enabled VMs from one Azure region to another: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms
Savita Swamy commented
An ADE encrypted VM is already replicating to Azure. Now I have a new disk which is initialized in my VM, which has given me a warning alert that one disk is not protected. I want to add that disk to replication. But when adding the disk, it fails at the prerequisite check, saying "Add disk operation not allowed for virtual machines encrypted using Azure disk encryption (ADE)."
Any way to add this disk in replication?
Does ASR now finally support ADE encryption (the model not using an AAD app to encrypt)?
Sam Khanjar commented
How about VMs that have already been encrypted using the Azure VM extension for ADE? (i.e. ADE without AAD app registration)
Peter Bollwerk commented
Based on the Azure documentation, there appear to be 2 ways to encrypt VMs.
1) Azure Disk Encryption (ADE)
2) Azure Disk Encryption with Azure Active Directory (ADE w/ AAD)
Currently, Azure Site Recovery doesn't support VMs encrypted using method 1. Unfortunately, all of our VMs are encrypted like this and it appears we would have to recreate all of our VMs if we wanted to switch to using method 2, to support Azure Site Recovery. This is obviously not a desirable option, so we were wondering if there are plans for Azure Site Recovery to support VMs encrypted using method 1.
I was able to accomplish this successfully until it's officially supported.
Mark van de Beek commented
Ideally there would be an option to enable disk encryption on the replica disk in the DR site. Currently it isn't possible to add an Azure VM to ASR when ADE is enabled, but the workaround is to add the VM to ASR before ADE is applied, and then use the console to enter the recovery key once the failover has taken place. This is workable for a few VMs, but for a complete site failover this is unmanageable.
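Several comments above turn on the difference between the two ADE flavours (the AAD-app model versus the extension-only model) and on not discovering too late that a VM cannot be protected by ASR. The script below is an added example, not code from the thread or from Microsoft, that inventories every VM in the current subscription and reports its encryption state and which ADE flavour the installed extension suggests. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has been run. The classification rule is an assumption: it reads the major version of the AzureDiskEncryption / AzureDiskEncryptionForLinux extension (older majors shipped the AAD-app model, newer majors the no-AAD model), so confirm it against current documentation before relying on it for planning.

```powershell
# Added example (not from the thread): list VMs with their ADE status and likely ADE flavour.
# Assumes: Az.Compute module present and an authenticated session (Connect-AzAccount).
# Assumption: flavour is inferred from the ADE extension's major version
#   Windows 'AzureDiskEncryption'        -> 1.x = AAD-app model, 2.x = no AAD app
#   Linux   'AzureDiskEncryptionForLinux'-> 0.x = AAD-app model, 1.x = no AAD app

function Get-AdeFlavour {
    param([string]$ExtensionType, [string]$TypeHandlerVersion)
    # Extract the major version number, e.g. "2.2" -> 2
    $major = [int]($TypeHandlerVersion.Split('.')[0])
    $isWindows = $ExtensionType -eq 'AzureDiskEncryption'
    if (($isWindows -and $major -ge 2) -or (-not $isWindows -and $major -ge 1)) {
        return 'ADE without AAD app'
    }
    return 'ADE with AAD app'
}

function Get-AdeInventory {
    $report = foreach ($vm in Get-AzVM) {
        # Encryption state of the OS and data volumes as Azure reports it
        $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name

        # Find the ADE extension, if any, to infer which flavour was used
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.ExtensionType -like 'AzureDiskEncryption*' } |
            Select-Object -First 1

        $flavour = if ($ext) {
            Get-AdeFlavour -ExtensionType $ext.ExtensionType -TypeHandlerVersion $ext.TypeHandlerVersion
        } else {
            'No ADE extension'
        }

        [pscustomobject]@{
            ResourceGroup        = $vm.ResourceGroupName
            VM                   = $vm.Name
            OsVolumeEncrypted    = $status.OsVolumeEncrypted
            DataVolumesEncrypted = $status.DataVolumesEncrypted
            AdeFlavour           = $flavour
        }
    }
    return $report
}

# Usage: print the inventory, flagging rows that need a closer look before onboarding to ASR
Get-AdeInventory | Sort-Object AdeFlavour, VM | Format-Table -AutoSize
```

Run this before onboarding VMs to ASR: any VM reported as "ADE without AAD app" is one where the thread's limitation applies, and VMs listed with encrypted volumes but no extension (for example, re-imaged machines) deserve manual verification rather than a scripted decision.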